Transcript

Friday, November 25, 2011

BROOKE GLADSTONE: You know, you don't actually need skills to hack into voicemails because often the people you want to hack make it laughably easy. So as our holiday gift to you we’re rerunning our interview with WNYC’s John Keefe, who picked up some tips on how to safeguard your voicemails, after he essentially hacked into his own and those of his colleagues.

JOHN KEEFE: And just to be clear, we all did it together.

[LAUGHTER]

I did not [LAUGHS] break into anybody else's phones unauthorized.

Basically here's the deal: A lot of cell phone companies allow you to check your voicemail from your own phone, without a password, right? So if you're somewhere else and you’re at somebody else's phone, you need a four-digit code to hear your messages, but not from your own phone.

The way that works is that the voicemail system sees your caller ID and goes oh, that's Brooke, I'm, I'm okay with that. Here are your voicemails.

What I did with the computer is I paid ten dollars to a service that fakes caller ID numbers. So I put in my own phone number into the computer and then got into my voicemail system. The voicemail system said, “Oh, John’s calling, here are your voicemail messages."

BROOKE GLADSTONE: So this service - you paid ten bucks in order to have it spoof or fake the caller ID, simply by you plugging in somebody's phone number - seems like a clear violation of privacy. This doesn't seem legal.

JOHN KEEFE: Well, the spoofing of caller ID numbers in and of itself is not illegal. Under the Truth in Caller ID Act of 2009, it’s clearly not legal if you're faking a caller ID with, quote, “the intent to defraud, cause harm or wrongfully obtain anything of value.” I would-

[OVERTALK]

BROOKE GLADSTONE: Who's to say if a voicemail is of value?

JOHN KEEFE: I’m not a lawyer. I'm not sure. [LAUGHS] But it seems to me if not illegal, definitely unethical.

BROOKE GLADSTONE: And what would the legitimate purpose of such a service be?

JOHN KEEFE: Maybe you want to make a phone call to somebody and you don't want them to know what your real phone number is. They actually pitch it as a privacy tool, that you can make a phone call without having to reveal your own phone number.

BROOKE GLADSTONE: Now, I have a Verizon phone and I always have to put in the 4-digit password.

JOHN KEEFE: That's right. And that's true for Verizon phones, actually. A spokesperson told me that. We tried four different companies. We tried AT&T, Sprint, T-Mobile and Verizon. And we were able to actually listen to voicemail messages - and, again, all voluntarily – of both of the AT&T phones and one of the Sprint phones. We weren't able to listen to the two T-Mobile phones that we had or the Verizon accounts either.

BROOKE GLADSTONE: The bottom line here is that it's unbelievably easy to hack into anybody’s voicemail if they have AT&T or Sprint. Is that not true?

JOHN KEEFE: A spokesman for AT&T told me that they have this feature that allows you to access your voicemail from your own phone without a password, and that they strongly encourage that people set their passwords for that.

A spokesperson for Sprint said that they too offer that option, and they warn their customers that when they’re setting up their voicemail that if they don't add that four-digit pin that it could leave your voicemail vulnerable.

I’ll tell you that the ease in which I was able to use a computer, without a password and without my own phone, to hear the voicemail of my wife from the day before was really startling.

BROOKE GLADSTONE: Okay, so in this consumer News You Can Use segment, you offer three bits of advice to protect privacy.

JOHN KEEFE: That’s right. So the first one appears to be that if you add these 4-digit codes to your ability to hear your voicemail, even from your own handset, that is a help.

The second thing is that you can delete your voicemail messages, right? If there’s nothing to listen to, there’s nothing to listen to. If you’re not interested in having that 4-digit code, that’s another way to do it.

The third thing is that every time we did this little trick, a byproduct of it was that it left a missed call on our phone, from our own phone number. If you ever were to get that on your phone, I would be very suspicious.